
Why do you pen test? - Once again, for me it is regulatory compliance (SOX, PCI, etc.) plus my boss is very security oriented (CISSM) and wants to make sure our holes are plugged before someone else finds it.

Why don't you pen test? - n/a

What is the value? - finding and patching a hole before it can be exploited. We are a multi-billion-dollar company and all of our business is done over the internet. If I can find and patch a hole that would have cost the company a few million dollars then I have done my job. If I don't find that hole, or we never even looked for it, then the company is hurt financially and its reputation is tarnished.

Who (what functions) should be doing the testing? - that is really going to depend on the type of business. We do both internal and external testing. The security department is not related to the rest of MIS/IT even though we work closely with them. We also contract out to a couple of different companies that do everything from full "black box" testing, to informed application testing.

Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

To maintain our compliance with BSI7799/ISO27000.
We're not certified but we make best endeavours to be compliant.

Why don't you pen test?
^

What is the value?

It's best practice, and we use the results of a pen test to push for better practice in some areas where the guys can be sloppy if they're not checked.
It's also used to construct action plans to reduce the organisation's overall risk.

Who (what functions) should be doing the testing?

Annual pen test is carried out by a trusted 3rd party. The 3rd party should be rotated every couple of years.
Internally we plan to carry out a vulnerability test on new servers before they go live in the DMZ. This isn't to the same standard as a professional pen test. It would be carried out by me. I don't work for IT and have sufficient independence to do it (but not the training yet).

Originally posted here by thehorse13: 1) Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.

Steve Katz sat at his desk, reading an e-mail that he had hoped never to see. An outsider had access to the systems at his company. Katz, who was CISO at a large financial firm, would have to tell his boss. And that could be the start of something ugly.

The silver lining for Katz was this: The outsider was an ethical hacker Katz had hired to see if the company’s systems could be penetrated. While it wouldn’t be fun to deliver the news—“the guy had become a user of the system. He could’ve probably gotten access to critical applications,” Katz says—at least it was just a penetration test.

...

So while some CSOs may be grumbling about pen tests, it’s clear that others want them. As a consultant, Pfeil says pen testing occupies most of his time. “Pen tests were a valuable tool in my life as a CSO, and they still are,” he says. CISOs just need to apply these lessons to make sure they’re getting the value they should.

"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.